Iptables is a powerful firewall built into the Linux kernel and is part of the netfilter project. It can be configured directly, or by using one of the many frontends and GUIs. iptables is used for ipv4 and ip6tables is used for ipv6.

Basic concepts

tables

chains

This article or section needs expansion.

Reason:please use the first argument of the template to provide a brief explanation. (Discuss in Talk:Iptables#)

Chains are used to specify rulesets. A packet begins at the top of a chain and progresses downwards until it hits a rule. There are three built-in chains: INPUT, OUTPUT and FORWARD. All outbound, locally-generated traffic passes through the OUTPUT chain, all inbound traffic addressed to the machine itself passes through the INPUT chain, and all routed traffic which should not be delivered locally passes through the FORWARD chain. The three built-in chains have default targets which are used if no rules are hit. User-defined chains can be added to make rulesets more efficient.

targets

A "target" is the result that occurs when a packet hits a rule. Targets are specified using "jump" (-j). The most common targets are ACCEPT, DROP, REJECT and LOG.

modules

There are many modules which can be used to extend iptables such as connlimit, conntrack, limit and recent. These modules add extra functionality to allow complex filtering rules.

Configuration

From the command line

You can check the current ruleset and the number of hits per rule by using the command:

Configuration file

The configuration file at /etc/conf.d/iptables points to the location of the configuration file. The ruleset is loaded when the daemon is started.

/etc/conf.d/iptables

# Configuration for iptables rules
IPTABLES_CONF=/etc/iptables/iptables.rules
IP6TABLES_CONF=/etc/iptables/ip6tables.rules
# Enable IP forwarding (both IPv4 and IPv6)
# NOTE: this is not the recommended way to do this, and is supported only for
# backward compatibility. Instead, use /etc/sysctl.conf and set the following
# options:
# * net.ipv4.ip_forward=1
# * net.ipv6.conf.default.forwarding=1
# * net.ipv6.conf.all.forwarding=1
#IPTABLES_FORWARD=0

Guides

Logging

The LOG target can be used to log packets that hit a rule. Unlike other targets like ACCEPT or DROP, the packet will continue moving through the chain after hitting a LOG target. This means that in order to enable logging for all dropped packets, you would have to add a duplicate LOG rule before each DROP rule. Since this reduces efficiency and makes things less simple, a LOGDROP chain can be created instead.

Limiting log rate

The limit module should be used to prevent your iptables log from growing too large or causing needless hard drive writes. Without limiting, an attacker could fill your drive (or at least your /var partition) by causing writes to the iptables log.

-m limit is used to call on the limit module. You can then use --limit to set an average rate and --limit-burst to set an initial burst rate. Example:

-A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG

This appends a rule to the LOGDROP chain which will log all packets that pass through it. The first 10 packets will the be logged, and from then on only 5 packets per minute will be logged. The "limit burst" is restored by one every time the "limit rate" is not broken.

syslog-ng

Assuming you are using syslog-ng which is the default in Archlinux, you can control where iptables' log output goes this way: